17 May 2004

Regulation Compliance Tops Companies' Security Concerns

Just a few short years ago, the primary security-related concern for most IT executives was how to prevent hackers from infiltrating their companies' systems. Although that issue is still quite relevant, it's no longer the top concern of many organizations. Today, that honor goes to how to comply with the increasing number of regulatory and compliance mandates required by the U.S. government. Some of these requirements, such as Gramm-Leach-Bliley and Sarbanes-Oxley, apply to virtually all corporations, while others, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Basel II Accord, affect specific industries.

The unifying thread among all of these mandates is the need to adequately protect personal information—an issue that can cause significant challenge and confusion for IT managers who are unfamiliar with the available tools and methods for satisfying these requirements.

Helping organizations comply with this panoply of regulations, however, has created significant opportunity for resellers, says Ed Smith, director of security solutions at Forsythe Technology Inc., a technology infrastructure solution provider based in Skokie, Ill.

"These regulations don't require specific technology, which makes them confusing and vague. Some say you have to provide access control, for example, but they don't specify how to do it," Smith says. To solve the problem, many organizations are turning to resellers who specialize in building compliance-ready environments and stand ready to map those environments to the organization's framework, best practices and standards.

Resellers and systems integrators fulfill a real need in the compliance arena, agrees Michael Rasmussen, director of information security at Forrester Research Inc., a Cambridge, Mass., IT consultancy.

Not only is there no off-the-shelf product to deal with compliance and security issues, but creativity and ingenuity tend to be key to success, Rasmussen says. "It's about building a culture of security and governance within the organization, as well as selecting the right products and assigning the appropriate management and staffing to them."

Although not yet a formal requirement, the government's recent push to address cyber-security is beginning to rank nearly as high as regulatory compliance for companies trying to stay on the cutting edge of security requirements. Spearheaded by the National Cyber Security Partnership Task Force, a public-private partnership led by a variety of trade groups and the U.S. Chamber of Commerce, the goal is to develop strategies to better secure critical information infrastructure.

Slowly but surely, the push to implement better cyber-security is trickling down from government to private industry, encouraging resellers to develop solutions and methodologies for implementing these practices within their client base.

"We're encouraging the private sector to adopt what's happening in the public sector because cyber-security cuts across everything and should be part of the overall business model," says Jeff Tye, founder of GMP Networks, a Tucson, Ariz., security integrator.

But at least for now, compliance and cyber-security issues remain more relevant to larger companies than smaller ones. These issues, generally grouped under the term "information security," include financial integrity, regulatory compliance, privacy, intellectual property and industrial espionage. Smaller companies, on the other hand, tend to remain focused on IT security—technology that includes firewalls, disaster recovery, patch management, intrusion-detection systems, and encryption and anti-virus software.

That's changing, but slowly, Smith notes. "You have to become a trusted adviser beyond just offering the latest technology. It's about understanding their problems and then developing an appropriate solution—whatever the need."

GLOSSARY OF TERMS

Sarbanes-Oxley Act of 2002: Mandates a comprehensive accounting framework for all public companies doing business in the United States. Companies must disclose all relevant financial performance information publicly, creating the need for more stringent digital data integrity and accountability controls.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): One part of this act deals with the standardization of health care-related information systems, establishing standardized mechanisms for electronic data interchange, security and confidentiality of all health care-related data.
Gramm-Leach-Bliley Act of 1999: Enacted to protect consumers' private financial information. It put processes in place to control the use of consumers' private information and included requirements to secure and protect that data from unauthorized use or access.

Basel II: The Basel II Accord is a regulatory framework governing risk management practices, developed by the Bank for International Settlements. Companies have until the end of 2006 to comply with it. The accord consists of minimum capital requirements, supervisory review of capital adequacy and public disclosure. New guidelines on operational risk may require banks to implement more comprehensive business continuity solutions. Once finalized, it will give banks a more standard way of evaluating risk.

Cyber-security: Simply put, cyber-security is the act of protecting all corporate information from potential harm through identification, protection and defense. The U.S. government is doing its best to encourage organizations to deal with cyber-security. The National Cyber Security Partnership Task Force, for example, recently issued a report recommending ways of reducing security vulnerabilities by adopting existing standards and best practices, using common software security configurations, developing guidelines for secure equipment deployment and network architectures, and improving the processes commonly used to develop security specifications and conduct security evaluations.


Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people and systems, or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution's activities.
